Security Cloud Privacy Tech

Contact Tracing via Smartphones

Another in my series on CBC Radio’s Ottawa Morning. In this segment, host Robyn Bresnahan and I discuss the growing efforts of tech companies to help track the spread of COVID-19.



Robyn: To limit the spread of COVID-19, technology companies say tracking people where, they have been and who they’ve been in contact with will be very important.

And that’s why Apple and Google are teaming up to develop a tool to do just that, and your smart phone could play a big part.

[00:00:15] Mark Nunnikhoven is our technology columnist and joins us on the line this morning. Hi, Mark.

[00:00:20] Mark: Good morning, Robin.

[00:00:21] Robyn: Just explain this tool to us from Apple and Google. How would it work?

[00:00:26] Mark: Yeah. So what it’s going to do is use, the Bluetooth technology already in your phone.

This is what we use to connect wireless headphones to our phones. and it’s going to use that technology to, automatically track and, keep a record of other phones that you’ve been in contact with.

[00:00:42] So my phone would, be broadcasting throughout the day and it would say, “Oh, you saw Robin’s phone.” Now, that would all be anonymized, so it wouldn’t be Mark and Robin, it would be a random string of numbers and digits.

And then if, I, you know, heaven forbid, tested positive for COVID, I would, get a code from my healthcare provider that would allow me to then, submit all of my, keys into a central system that would basically say, “Anybody who’s seen this, this identity from Mark, h- has been exposed.”

[00:01:13] So it’s a way of automating the very, manually intensive task of contact tracing.

[00:01:20] Robyn: What’s your initial thoughts about this, this tool?

[00:01:24] Mark: Very mixed, in that it’s very, tech-typical to think that we can solve this problem with technology. a little bit optimistic in that there’s some really good thought behind this system.

Because it’s Apple and Google, that means, it’s going to be built into the operating systems of our phone, so you don’t need to download an extra app to participate, and that’s where that system has fallen down in other places. but there’s definitely an undercurrent of, privacy challenges.

And bringing up the bigger question of, you know, in the case of a global pandemic, in a massive health emergency, where do we shift the line on privacy?

[00:01:59] Robyn: In terms of, this being on our phones, w- e- w- how easy would it be to opt-in and opt-out of it?

[00:02:05] Mark: That’s a great question, and right now, we’re not quite sure. So Google and Apple have published, white paper so far, so basically just a document.

The Apple one is very technically, and explains the math and the security behind the system. The Google one is very much meant for the public to explain that sort of flow we just walked through.

Both of them had said that their, this system is intended to be opt-in, but until it actually rolls out, we’re not sure.

[00:02:30] Robyn: Has this kind of tracking system, has it already, rolled out in some other countries?

[00:02:36] Mark: There have been attempts. So, the, South Korean, government has made, an initiative, where they were using, location data. think of like, when you watch your crime dramas and they use the cellphone provider, to ping, cellphones off of towers.

They’ve been using that to figure out who’s been where and in pro- proximity to each other. They’ve also used an app, that they pushed out, and that’s been met with mixed success because they haven’t had the adoption, because people have to go out and download that app.

[00:03:02] Similarly in the, UK, the NHS is trying, the same kind of thing though. They’ve now pivoted to try to support the Apple and Google initiative. but the most successful has been in China.

Obviously China has a different approach, to requiring citizen’s participation in things, and they have a system in place where, they have apps on everybody’s phone, and they’ve partnered up with big companies like, Alibaba’s, subsidiary, Alipay, which most citizens already use for mobile payments, to, have basically like, a health code, on your app.

So you can be red, green or, yellow for warning, and that will allow you or prevent you from doing certain things within the community.

[00:03:39] Robyn: How, how do you think, this strikes the balance in trying to protect people from COVID versus, as you say, raising some red flags about privacy concerns?

[00:03:49] Mark: Yeah. And that’s a challenge. So a lot of this is just speculation at this point because it’s not out there yet, but, you know, we need to figure this stuff out b- ahead of time.

And the good news is, the underpinnings of this system, the math and the security controls in place, are very, very solid. Apple and Google both have some very strong, security engineers and they’ve built a really reasonable system.

The challenge is, at some point, the anonymous system that’s tracking all, you know, which phones have seen which other phones, has to be, pulled back, the veil has to be pulled back because I, as a, as a patient, as someone diagnosed, will be submitting and saying, “All of my IDs need to be flagged and warned.”

[00:04:26] So at some point, all this great anonymization gets pulled back into the people realm, and that’s where the real weakness in these systems are is, at, who do you allow to see that it was Mark instead of a random ID that submitted a f- a positive test and h- who gets what depth of data?

And that’s always the challenge with these systems is, we can build a really strong technical system, but at some point, people need to use it, and that’s always where the weakness is when it comes to privacy.

[00:04:53] Robyn: Yeah. Good point. Okay, still lots of questions, but Mark, thanks very much for, answering some of them.

[00:04:59] Mark: Thank you.

[00:04:59] Robyn: That’s Mark Nunnikhoven. He’s our technology columnist. He’s also the vice president of cloud research at Ottawa cyber security firm, Trend Micro.